Challenges

BYOD and cloud services create a set of three new challenges for security, business, and IT managers:

Wider distribution of data onto devices not completely controlled by the data owner

Liability confusion as cloud service providers take on a larger role in business process delivery

Shift in what contributes to a business process' maximum tolerable period of disruption (MTPOD)

Expanded incident response

#1 Wider data distribution

Laptops introduce easy movement of data beyond the organization's trusted internal network. New tools have emerged to help protect the data, including centrally managed encryption solutions. While many organizations took laptop data protection to the next level with mobile device backup, the increasing use of smartphones and tablets creates a gap between valuable distributed data and the contents of organization-managed backups. Closing the gap is critical to protect spreadsheets, documents, etc., containing information created and maintained only on a mobile device.

Figure A

Manufacturing managers have dealt with supply chain issues from the first days of relying on third parties for portions of the finished product or service. This is a more efficient means of providing customers with what they expect. Carrying this one more step, your organization might serve as a tier one and tier two supplier for one or more organizations. When a provider BCE disrupts the flow of critical products and services to your customers, who is liable for customer costs associated with production stoppages? How do you make up lost revenue due to provider failure?

#3 MTPOD

Each business process possesses a specific MTPOD, as shown in Figure B. The MTPOD includes both the time needed to recover failed information resources (RTO) and the time required to start producing output (cycle time). Failing to recover a process within the MTPOD typically results in irreparable damage to the organization.

Figure B

In the past, all resources resided in the internal data center. IT was responsible for managing all disruptions: from software failure, to a bad cable, to a catastrophic event. This is rapidly changing. With the introduction of cloud services into business processes, providers are now an important component in BCP. Infrastructure, platforms, and software in the cloud increasingly create links between the start of a business process and its output. In some cases, a cloud service might be the key element in process recovery.

Incident response

Incident response is integrated into an organization's ability to recover within the MTPOD. However, it is so crucial to recovery, it deserves a separate look.

The accuracy of documented recovery documentation for each component of a critical business process has a direct impact on MTPOD. Organizations must support recovery documentation with monitoring leading to quick identification of a disruption.

Response teams, for both malware infections and hardware/software failure, must practice the steps in the recovery documentation. Practice activities include, among other targets unique to your organization, restoring connectivity, repairing a failed server, recovering a damaged database, recovering a failed switch, recovering from a catastrophic event, etc. Practice results in faster response and adjustments to recovery processes BEFORE an actual BCE.

BYOD and cloud services extend incident response from internal teams to BYOD and cloud service providers. For example, if a home health employee uses a personal laptop to access health care information from a patient's home, what happens when if cellular connectivity (3G/4G) is lost? Who do you call? Have you discussed this potential BCE with relevant carriers? More importantly, has management evaluated the risk associated with this and similar BCEs?

Cloud service disruptions can be a little easier to control, if you address incident response during contract negotiations.

Does the provider maintain up-to-date incident response plans for all information resources for which it is responsible?

How do you ensure incident response documents are maintained and practiced by provider response teams?

Have you clearly defined recovery time objectives (RTOs) for each of your cloud-based information resources? Do you include provider personnel in practice BCE response activities to ensure RTOs are met? What sanctions are in place if providers consistently fail to meet RTOs during practice or actual BCEs?

The final word

Even the best-prepared response teams will fail if BYOD and cloud service ramifications are missing from recovery documentation. Further, internal response teams must work with provider teams to ensure seamless recovery of failed hardware and software: before an actual BCE occurs.

Provider agreements failing to address incident response fail to meet the standards of due diligence required for BCP. Both BYOD and cloud services have become critical components of many organization's business processes. Extending BCP to include these additions to an organization's information resources is not an option.

In the next part of this series, I address how to meet each of the challenges above.

About Tom Olzak

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

Full Bio

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.